Deploy-safety harness: get infra out of babysitted deploys (pre-apply gate + classification + auto-rollback + canary) #403
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
2 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#403
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Design goals for getting infra changes out of babysitted deploys. Stated as a slice for an infra explorer to expand into concrete work - not a finished spec.
The problem
Every infra issue is currently a babysat deploy, because the infra repo Flux-auto-deploys to the live k3s fleet and the human is the safety net in two automatable places:
pylints Python (.forgejo/workflows/lint.yml) - it neverkustomize builds,kubeconforms, or server-side dry-runs the actual manifests. A broken manifest reaches Flux with no gate.wait: true,timeout: 5m,healthChecks,prune: false, drift-correction) but does not auto-revert. A bad reconcile stays live until a human git-reverts.So a human watches every apply to be the dry-run and the rollback. That does not scale to ~100 open infra issues.
Goal
Build the infra equivalent of ward's pre-commit/CI gate + reaper, so infra changes are safe to fire-and-forget and the backlog can drain autonomously (eventually under
warded director). Replace human-as-safety-net with an automated gate + self-heal.The harness (in leverage order)
kustomize build+kubeconform(schema) +kubectl apply --dry-run=server(live admission/schema - the in-cluster runner can reach the API) +flux build/validate on changed overlays, before the push lands. Catches the majority of cluster-breaking errors with no human, and benefits all ~100 issues at once. Notably this is CI-only, not a cluster apply, so it is itself low blast radius.KustomizationReady=False, or alert->revert.The bootstrapping insight
Do NOT babysit 100 deploys - babysit the few that build this harness, then the rest drain autonomously. The first piece (the validation gate) is CI-only, so building it is itself fire-and-forget-safe: the thing that ends babysitting can be built without babysitting. Items 3-4 touch the live deploy loop / Flux / fleet singletons, so they want supervision while they roll out; after that, infra issues are gate-checked + self-healing and flow without a human.
Grounding (current state)
.forgejo/workflows/lint.yml- the Python-only CI this extends.clusters/kai-server/{apps,infrastructure}.yaml- the Flux Kustomizations withwait/timeout/healthChecks/prune: falsethis builds on (post-apply detection already present; pre-apply gate + auto-rollback are the gaps).deploy/forgejo-runner.yml- a fleet singleton with 2 replicas a canary could use.🔎 ward agent advisor
ward agent advisor --harness codexran a one-shot standard research pass on this question:pre-commit installed at .git/hooks/pre-commit
pre-commit installed at .git/hooks/commit-msg
Researched and posted automatically by
ward agent advisor --harness codex(ward#179). This is one-shot research, not a carried change - verify before acting on it.— Codex, via
ward agent